nodejs developers urged to check their projects for vulnerable package
UPDATED A potentially “catastrophic” security vulnerability in Netmask, an NPM package used by more than 279,000 open source projects, has been patched after lying undiscovered for nine years.
The improper input validation flaw could allow remote, unauthenticated attackers to achieve server-side request forgery (SSRF) in downstream applications, according to a technical write-up published on Sunday (March 28) by security researcher Sick Codes (‘Sick.Codes’).
Among others, the “lightweight” package is used by APIs, security software, crypto projects, and both back-end and front-end projects, according to Codes.
Which dependencies are vulnerable “depends entirely on how the project uses it”, he added.
The problem surfaced when security researchers including Codes were crafting a fix for a separate, critical, SSRF vulnerability (CVE-2020-28360) in downstream package Private-IP, which is used to restrict private IP addresses from interacting with an application’s internal resources.
Netmask was used during the remediation process, specifically to help the researchers define IP address ranges or blocks using simpler notation.
When fellow researcher Victor Viale found a second SSRF bypass in Private-IP, Codes initially “thought another developer had reverted Private-IP back to regex after we added netmask”. However, it then transpired “that only IPv6 was being filtered using regex”, and that the bypass originated upstream.
‘Inordinate attack surface’
The root cause of the problem turned out to be Netmask’s incorrect evaluation “of individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on Netmask to filter or evaluate IPv4 block ranges, both inbound and outbound”, according to a GitHub security advisory posted by Codes.
The researcher described the impact as “catastrophic”, claiming the bug could also enable remote or local file inclusion attacks on certain dependencies.
“There’s literally so many vulnerabilities cause[d] by this that it will make your head spin”, continued Codes.
Asked for scenarios in which the bug might be exploited to achieve SSRF, the researcher cited a cloud platform with an ISO upload feature.
“If that cloud uses netmask, then the user might be able to submit http://0184.108.40.206:/root/.ssh/id_rsa, and instead of the application fetching the ISO, it gets the file locally,” the researcher told The Daily Swig.
This “devastating” attack “works if FTP is running”.
Conversely, with certain VPNs “you could force an app to use 010.0.05, which would try to reach 10.0.0.5 on the private network, but actually that is a public IP 220.127.116.11”.
Ax Sharma, security researcher at Sonatype, commented: “This highlights the need for proper input hygiene and never trusting input no matter the source.” Netmask’s fixes, he added, “now take into account that IP addresses can also be provided in octal or hexadecimal formats, something users of netmask could also have implemented on their end as an extra precaution.”
The vulnerability (CVE-2021-28918) affects Netmask v1.1.0 and below.
It was discovered on March 16 and reported to the project maintainer the next day (March 17).
After an initial fix inadvertently and briefly created another vulnerability, a fresh patch issued in v2.0 on March 20 then created yet another bug (CVE-2021-29418), prompting the maintainer to update again to v2.0.1, which landed on March 29.
Codes urged nodejs developers to check their projects for use of Netmask and upgrade immediately if they find the package in use.
Node-netmask maintainer and Netflix engineering director Olivier Poitrey “was super responsive and worked with us on the fixes, especially in getting the first patch out literally days after we reported it”, said the researcher.
No safety in numbers
The vulnerability is a salutary reminder of the potentially disproportionate repercussions of a serious security flaw in a single, popular open source component.
Codes pointed out that the 30 billion nodejs packages installed last week were mostly downloaded by automated CI/CD pipelines and with no manual runtime inspections.
The research is only the latest challenge to the misconception that, as Codes puts it, “if everyone else is using” an open source component, then “it must be” secure.
Earlier in March, for instance, exploitation of the novel ‘dependency confusion’ technique led to NPM Registry and Python Package Index (PyPI) maintainers removing thousands of rogue packages that bore the same name as popular legitimate components.
And Private-IP, which is downloaded around 15,000 times a week, was in the headlines for another SSRF vulnerability in November, with attackers potentially able to circumvent the package’s IP-blocking mechanism to perform multiple SSRF exploits.
This article was updated on March 30 to reflect the discovery and remediation of another flaw in Netmask arising from a flawed patch.
The Daily Swig has contacted the project maintainer for Netmask. We will update the article if and when we receive a response.